Windows Patch Frequency - Best Practices?

We have been noticing over the past year that Windows updates come fast and furious, and for many of our users it has become an annoyance how often updates are pushed out. Currently we have updates scheduled two days a week, and without fail almost every device has at least a single update on those days. Even with this schedule we still have clients missing updates due to random update install issues. We allow most users to defer up to 3 times.

How are other people handling updates? I feel there is a cost/benefit here from a security standpoint to be on top of updates as much as possible.

Prior to implementing Automox, our users' machines never really got security updates and/or restarted. When we first implemented Automox, we communicated the importance and need for this and found a suitable time and deferral count that users accepted.

For user devices, Windows updates install every day if picked up; however, they tend to mostly occur on Patch Tuesday and install then. For our servers it's more controlled: they are installed out of hours on Patch Tuesday for a pilot group, and then the more important servers get them a week or two later.

We had a similar issue before Automox; the Windows built-in update was really horrible… we did not realize this until we trialed Automox and discovered huge discrepancies between machines as far as update levels.

Thanks for your input on this!
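The "discrepancies between machines" mentioned above are easy to surface with a fleet-wide diff of installed hotfixes. The following is an added example, not code from the thread or from Automox: it takes a per-machine list of installed KB identifiers and reports, for each machine, which KBs present elsewhere in the fleet are missing. The inventory hashtable is a constructed sample with placeholder KB numbers; the commented lines at the end show how you would populate it from live machines with the built-in Get-HotFix cmdlet.

```powershell
# Added example (not from the original thread): report update-level drift across
# a fleet by diffing each machine's installed hotfix list against the union of
# everything installed anywhere in the fleet.

function Get-HotfixDrift {
    param(
        # Hashtable: computer name -> array of installed KB identifiers (strings)
        [Parameter(Mandatory)] [hashtable] $Inventory
    )

    # The reference level is the union of every KB seen on any machine.
    # ForEach-Object flattens the per-machine arrays into one stream of strings.
    $reference = $Inventory.Values | ForEach-Object { $_ } | Sort-Object -Unique

    foreach ($computer in ($Inventory.Keys | Sort-Object)) {
        $installed = @($Inventory[$computer])
        $missing   = @($reference | Where-Object { $installed -notcontains $_ })

        [pscustomobject]@{
            Computer     = $computer
            Installed    = $installed.Count
            MissingCount = $missing.Count
            Missing      = ($missing -join ', ')
        }
    }
}

# Constructed sample inventory. KB numbers are placeholders, not real updates.
$inventory = @{
    'WS-001' = @('KB0000001', 'KB0000002', 'KB0000003')
    'WS-002' = @('KB0000001', 'KB0000003')
    'WS-003' = @('KB0000001')
}

# Machines with the most missing KBs float to the top.
Get-HotfixDrift -Inventory $inventory |
    Sort-Object MissingCount -Descending |
    Format-Table -AutoSize

# To build the inventory from live machines instead (needs WinRM/RPC access and
# local admin on the targets; hypothetical computer names):
# $inventory = @{}
# foreach ($c in 'WS-001', 'WS-002', 'WS-003') {
#     $inventory[$c] = @((Get-HotFix -ComputerName $c).HotFixID)
# }
```

Using the fleet-wide union as the reference keeps the check independent of any vendor catalog, so it runs offline; the trade-off is that a KB no machine has installed is invisible to it, which is exactly the gap a patch-management product's catalog comparison closes.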

This is unfortunately the new normal. Patching at least once a week greatly reduces emergency patching while keeping the overall amount of patches acceptable. All our Automox customers are moving towards weekly patch schedules.


I would consider whether you need to run the patches through internal QA (testing) and change management. That will also impact how often you run them. I highly recommend testing all patches before deploying to your fleet! We deploy to a test group, and a week later we send it out to the rest automatically via schedules. Microsoft has come a long way in patching reliability, but it's not perfect.

I understand, but can you really afford to wait 14 days, knowing that the evil side only needs an average of seven days to turn a patch into a weapon? Look at HAFNIUM, for instance: it took less than seven days to be exploited.

We send out patches for known exploited vulnerabilities almost immediately. Our normal cadence is to patch a pilot group and then fully roll out a week later.

Yeah, I hear the rumblings from our enterprise, especially when feature updates are pushed (and fail, and are pushed again…).

Has anyone gone through the Microsoft 2-day assessment? Use Intune? Activated automatic updates? Because of the challenges above, we are considering these: auto updates only for work-from-home devices, since they are the hardest to keep updated.